ipv6 ipsec & icmpv6

I read this paragraph concerning icmpv6 and ipsec (see attached). Can the experts elaborate on this? Thx

icmpv6 and ipsec
LVL 1
leblancAccountingAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
I simply see that IPv6 support of IPSec is mandatory, but the use is not. However, the "myth" that IPv6 packet even including ICMPv6 can be riding onto the IPSec tunnel is supposed to be saved since FW will allow IPSec, malware ride on the fact of this and tunnel in IPSec tunnel and bypass FW checks (they can see the IPv6 payload. However, for IPv4 ICMP does not has such mandatory and by default, IPv4 ICMP is drop by FW as they can be of malicious intent and even use as ICMP flooding DoS...but it make no different if ICMPv4 tunnel through IPSec which FW is allowed...IN short this is not really sound statement to say "Why use IPv6"

Below are more info for reading in Cisco and NTIA ref
http://www.ntia.doc.gov/legacy/ntiahome/ntiageneral/ipv6/final/IPv6final3.htm

In the IPv6 project many new technologies, that did not exist at the time in IPv4, was developed – like IPsec. IPsec is a technology for setting up secure tunnels between hosts or networks. Like many other new things invented for IPv6, IPsec was ported to IPv4 and has been around for many years. At the time where IPv6 and IPsec was invented, there may have been reasons to claim that IPv6 could be more secure than IPv4 (which did not have any secure VPNs). Today, that claim is no longer valid. There are no differences between IPv4 and IPv6 in terms of security. Yes, more IPv6 stacks will have built in support for IPsec, which is a good thing. But that doesn’t make the protocol by itself more secure.

From the beginning, the IPv6 standard has mandated support for IPSec. Many people have falsely translated that to mean an increase in security for IPv6 networks (even though IPSec only deals with authentication, integrity and confidentiality of connections).

IPSec by itself can not stop all attacks against the IPv6 protocol, such as application-level attacks. Although IPsec support is mandatory in IPv6, IPsec use is not. In fact, many current IPv6 implementations do not include IPsec. It can’t even be realistically used for all connections. E.g. Many necessary ICMP messages utilize multicast. Utilizing IPSec for these multicast messages is not feasible. Key management for supporting IPSec for each and every connection on an Internet-wide scale for IPv6 is also definitely not trivial.

Therefore, the utilization of IPSec in IPv6 networks will not dramatically increase beyond the levels currently used for IPv4 networks for some time to come. So in reality, both IPv4 and IPv6 have associated security issues (not necessarily the same), but neither protocol is really more secure than the other.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
surbabu140977Commented:
I guess what it means is: in some implementations of IPv6-- support of IPsec is manadatory. But it is not necessary to enable IPsec even though it's supported. In that sense, if you enable ipsec then icmpv6 would travel through IPsec.......

e.g in some linux distro, roll out of ipv6 would require you to support IPsec but you can live without enabling it........
0
harbor235Commented:
IPV6 was designed wth IPSEC in mind, in fact IPSEC was developed in the IPV6 development groups and then was integrated into IPV4 later. My point is that IPV6 is a mandatory part of the IPV6 design. So, it is up to the user/application to use IPV6 IPSEC or not.

So, IPV6 IPSEC can be utilized at the network layer e.g. VPNs etc ... or an application can use the inherent IPV6 IPSEC framework to secure a flow from an application perspective.


IPV6 IPSEC is part of the header, its not a bolt on like IPV4. Because it is integrated we can now protect more parts of the IPV6 packet in transit.

harbor235 ;}
0
nociSoftware EngineerCommented:
Some icmp packets for IPv4 as well as IPv6 should be viewed carefully.
ping is not one of them. The ones that do matter concern (re)routing  and those occur in both versions of ICMP
Also security can be disputed. The IPv4 stacks have weathered the various attacks.
IPv6 stacks are fresh to the world at large, so expect some faults in implementation to surface during the coming years.

Here is a site which presents a lot of info about security w.r.t. IPv6
http://www.si6networks.com/
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Internet Protocols

From novice to tech pro — start learning today.